SANS NewsBites Vol. 10 Num. 83

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Oct 21 2008 - 12:26:19 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Only eight more days to save $350 on SANS big winter training program
in Washington, DC (12/10 - 12/16). Features SANS eleven best courses
including new pen testing and forensics - preparing you for the two
hottest career paths in security. Register at http://www.sans.org/cdi08

*************************************************************************
SANS NewsBites October 21, 2008 Vol. 10, Num. 83
*************************************************************************
TOP OF THE NEWS
  Court Says Pair Must Turn Over Encryption Keys
  Mobile Phone Buyers in UK May Have to Provide Identification
  EFF Challenges Constitutionality of New FISA Law
THE REST OF THE WEEK'S NEWS
  ARRESTS, CHARGES & CONVICTIONS
    Guilty Plea in Scientology Web Attack
  GOVERNMENT SYSTEMS AND HOMELAND SECURITY
    Audit Finds Fault With Physical Security at the Canada Revenue Agency
    DHS Inspector General Report Says Portable Storage Device Security
       Lacking
    South Korean Prime Minister Warns of Cyber Attacks
  EVOTING
    Supreme Court Vacates Order Directing Ohio AG to Update Voter
       Database
  STUDIES AND STATISTICS
    Data Breaches at State and Local Level Far Exceed Those at Federal
       Level
  MISCELLANEOUS
    Georgian Cyber Attacks Traced to Russian Online Forum
    NIST Request for Information Seeks "Revolutionary Ideas" for
       Cyber Security

******************* Sponsored By Palo Alto Networks *********************

Attention Cisco PIX Users: Now that Cisco announced "end of life" for
its PIX Security Appliances, consider a transition to award-winning next
generation firewalls from Palo Alto Networks. Get unprecedented
visibility and control of all applications, users, and content - and get
instant rebates of up to $6,000! Learn more, watch this short webcast.

http://www.sans.org/info/34343

*************************************************************************
TRAINING UPDATE
- - SANS CDI in Washington 30 courses; big security tools expo; lots of
evening sessions: http://www.sans.org/cdi08/
- - Monterey (10/31-11/6) http://www.sans.org/info/30738
- - Sydney Australia (10/27-11/1) http://www.sans.org/sydney08/
- - Vancouver (11/17-11/22) http://www.sans.org/vancouver08/
and in 100 other cities and online any time: www.sans.org
*************************************************************************

TOP OF THE NEWS
 --Court Says Pair Must Turn Over Encryption Keys
(October 16, 2008)
The Court of Appeal in England has ruled that two men must divulge their
encryption keys to law enforcement authorities. The men maintained that
turning over the keys would be tantamount to self-incrimination and
therefore a violation of their rights. The court said that the right
not to incriminate oneself is not absolute; the password itself is not
incriminating and the keys and the computers' contents exist as separate
entities from the men. "In the eyes of the law, the information on the
computers is already in the possession of the police." One of the men
had been charged with offenses under the Terrorism Act for allegedly
helping a third individual move to a new location, despite an order that
required said individual to obtain permission from authorities before
moving. Both men had received notices under the Regulation of
Investigatory Powers Act (RIPA) ordering the keys' disclosure.
http://www.out-law.com//default.aspx?page=9514
[Editor's Note (Northcutt): Establishing this sort of case law is
important; the US just decided slightly differently (that you would have
to give up crypto keys, but giving up the pin that protects those keys
violates 5th amendment). My guess is that it will take a few more cases
like this to find the legal center. There are also concerns about
forcing travelers to decrypt data when entering customs, a particularly
interesting question since you are between two countries:
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=61#sID306]

 --Mobile Phone Buyers in UK May Have to Provide Identification
(October 19, 2008)
People purchasing mobile phones in the UK could be required to provide
a passport or other official identification under a government plan to
create a database of all mobile phone owners. The plan is aimed at
discovering the identities of people who buy prepaid mobile phones,
which can be paid for with cash and no personal information is required.
The office of UK Information Commissioner Richard Thomas says it is
likely that the "compulsory mobile phone register" will be part of
legislation introduced next year. Home Office officials have reportedly
said the plan may be illegal.
http://www.timesonline.co.uk/tol/news/politics/article4969312.ece
[Editor's Comment (Northcutt): I have been following this story and my
best guess is the plan is going to stick. I would greatly appreciate the
help of NewsBites readers in the UK. As news on this topic breaks,
please forward the link to stephen@sans.edu.]

 --EFF Challenges Constitutionality of New FISA Law
(October 17, 18 & 20, 2008)
The Electronic Frontier Foundation (EFF) has filed court documents
challenging the legality of the FISA Amendments Act. The law grants
retroactive immunity to telecommunications companies that have helped
the National Security Agency (NSA) with wiretapping US citizens' phone
calls and email. The EFF maintains that because most of the
eavesdropping under the new FISA law takes place without a warrant or a
subpoena, and because the authorization for the eavesdropping comes from
the president rather than the courts, the law violates citizens' rights
to due process of law as well as the federal government's separation of
powers.
http://www.eweek.com/index2.php?option=content&task=view&id=50041&pop=1&hide_ads=1&page=0&hide_js=1
http://www.vnunet.com/vnunet/news/2228565/eff-takes-shot-immunity-law
http://www.informationweek.com/news/telecom/policy/showArticle.jhtml?articleID=211201760

************************* SPONSORED LINK ******************************
1) Replace your desktop anti-virus or encryption for free - trade-up to
StormShield Security Suite
http://www.sans.org/info/34348
*************************************************************************

THE REST OF THE WEEK'S NEWS
ARRESTS, CHARGES & CONVICTIONS
 --Guilty Plea in Scientology Web Attack
(October 17 & 18, 2008)
An 18-year-old New Jersey man has admitted to having a role in a
distributed denial-of-service (DDoS) attack against a Church of
Scientology website in January. The attack reportedly caused US $70,000
worth of damage. Dmitriy Guzner has pleaded guilty to one count of
unauthorized impairment of a protected computer. Guzner faces up to 10
years in prison and has agreed to pay US $37,500 in restitution.
http://www.theregister.co.uk/2008/10/17/scientology_ddos_guilty_plea/
http://www.vnunet.com/vnunet/news/2228567/teenage-hacker-charged-ddos

GOVERNMENT SYSTEMS AND HOMELAND SECURITY
 --Audit Finds Fault With Physical Security at the Canada Revenue Agency
(October 20, 2008)
The tax information of Canadian citizens is at risk of exposure due to
lax physical security. According to the June audit of the Canada
Revenue Agency, "certain exterior doors and interior perimeter doors
were not adequately secured." In three instances, electronic alarm
systems were defective, unarmed or missing. Other security
vulnerabilities noted in past audits have not been addressed. Many
employees were not aware of security standards at the workplace. The
Canada Revenue Agency also reported numerous pieces of equipment lost
or stolen last year, including 25 laptops, 17 cell phones, six
BlackBerries, five printers, a router and two video surveillance
cameras. The audit did not examine the agency's electronic data
systems.
http://www.edmontonsun.com/News/Canada/2008/10/20/pf-7141301.html

 --DHS Inspector General Report Says Portable Storage Device Security Lacking
(October 16, 2008)
According to a report from the US Department of Homeland Security (DHS)
Inspector General Richard Skinner, DHS has not taken adequate security
precautions with portable electronic devices that connect to its
unclassified computer systems. The report, "Review of DHS Security
Controls for Portable Storage Devices," says that while DHS has
developed policies regarding "acceptable use of portable storage
devices, ... the policies have not been implemented by the components.
[There is no] centralized process to procure and distribute portable
storage devices to ensure that only authorized devices that meet the
technical requirements can connect to its systems." The report
recommended that DHS "establish an inventory of authorized devices;
implement controls to ensure that only authorized devices can connect
to DHS systems; and perform discovery scans, at least annually, to
identify unauthorized devices."
http://www.fcw.com/online/news/154093-1.html
http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_08-95_Sep08.pdf
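The three controls the report recommends (an inventory of authorized devices, a check that only inventoried devices connect, and periodic discovery scans) reduce to a matching problem: what the host actually enumerated versus what procurement says it should have. The following is an added example written for this page, not code from the DHS report or from SANS. It parses Linux kernel USB enumeration messages in the format dmesg prints them and flags any mass-storage device whose vendor/product/serial triple is absent from the inventory. The log lines and the inventory are constructed for illustration; the report does not describe DHS's platforms or tooling.

```python
"""Discovery scan for unauthorized USB mass-storage devices (added example)."""
import re
from dataclasses import dataclass

# Constructed sample of Linux kernel USB enumeration messages (dmesg format):
# an inventoried SanDisk stick, a keyboard, and a Kingston stick that was
# never procured through the central process.
SAMPLE_DMESG = """\
[  101.20] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  101.20] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  101.20] usb 1-1: Product: Ultra Fit
[  101.20] usb 1-1: Manufacturer: SanDisk
[  101.20] usb 1-1: SerialNumber: 4C530001234567890123
[  101.21] usb-storage 1-1:1.0: USB Mass Storage device detected
[  240.25] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  240.25] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  240.25] usb 1-2: Product: USB Keyboard
[  240.25] usb 1-2: Manufacturer: Logitech
[  300.55] usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[  300.55] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  300.55] usb 1-3: Product: DataTraveler 3.0
[  300.55] usb 1-3: Manufacturer: Kingston
[  300.55] usb 1-3: SerialNumber: 60A44C4133D7E3D0A9B70AE5
[  300.56] usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Constructed inventory of centrally procured devices, keyed the way the
# kernel reports them: (idVendor, idProduct, SerialNumber).
AUTHORIZED = {("0781", "5583", "4C530001234567890123")}


@dataclass
class UsbDevice:
    port: str
    vendor: str
    product: str
    name: str = ""
    serial: str = ""
    mass_storage: bool = False

    @property
    def key(self):
        return (self.vendor, self.product, self.serial)


_FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
_NAME = re.compile(r"usb (\S+): Product: (.*)$")
_SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
_STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")


def parse_dmesg(text):
    """Group the per-port kernel messages into UsbDevice records."""
    devices = {}
    for line in text.splitlines():
        if m := _FOUND.search(line):
            devices[m.group(1)] = UsbDevice(port=m.group(1), vendor=m.group(2), product=m.group(3))
        elif (m := _NAME.search(line)) and m.group(1) in devices:
            devices[m.group(1)].name = m.group(2).strip()
        elif (m := _SERIAL.search(line)) and m.group(1) in devices:
            devices[m.group(1)].serial = m.group(2)
        elif (m := _STORAGE.search(line)) and m.group(1) in devices:
            devices[m.group(1)].mass_storage = True
    return devices


def scan(devices, authorized):
    """Split mass-storage devices into (unauthorized, approved).

    Only storage-class devices are in scope for a portable-storage policy,
    so the keyboard is ignored. A storage device that reports no serial
    number has a key that can never match the inventory and is flagged:
    an inventory keyed on vendor/product alone would accept any stick of
    the approved model, which defeats the control.
    """
    unauthorized, approved = [], []
    for dev in sorted(devices.values(), key=lambda d: d.port):
        if not dev.mass_storage:
            continue
        (approved if dev.key in authorized else unauthorized).append(dev)
    return unauthorized, approved


def findings(text, authorized=AUTHORIZED):
    """One report line per unauthorized storage device."""
    unauthorized, _ = scan(parse_dmesg(text), authorized)
    return [f"UNAUTHORIZED port={d.port} id={d.vendor}:{d.product} "
            f"serial={d.serial or '<none>'} name={d.name!r}"
            for d in unauthorized]


if __name__ == "__main__":
    for line in findings(SAMPLE_DMESG):
        print(line)
```

Run stand-alone it prints one finding, for the Kingston stick on port 1-3. A real scan would feed it dmesg or journal output collected from each host, and the same inventory would drive a connect-time allowlist (udev rules or a device-control agent) so that enforcement happens before the device mounts rather than in an annual report. The matching logic is the same in both places, which is the point of keeping a single authoritative inventory.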

 --South Korean Prime Minister Warns of Cyber Attacks
(October 14 & 15, 2008)
South Korean Prime Minister Han Seung-soo has warned his cabinet that
cyber attacks from China and North Korea have resulted in the thefts of
large numbers of state secrets. Prime Minister Han pointed to a lax
security environment in which public servants have used sensitive data
on personal computers or over the Internet. Government computer systems
are now subject to monthly security checks in an effort to thwart
further data theft. The majority of the documents stolen relate to
foreign policy and national security.
http://www.ioltechnology.co.za/article_page.php?iSectionId=2885&iArticleId=4659863
http://english.chosun.com/w21data/html/news/200810/200810150003.html

EVOTING
 --Supreme Court Vacates Order Directing Ohio AG to Update Voter Database
(October 17 & 18, 2008)
As US states switch from local voting rolls to statewide databases of
voters, inaccurate information has called into question some voters'
eligibility, prompting lawsuits across the country. The problems arise
when the information in the database does not mesh exactly with other
official records. In Alabama, some voters were incorrectly identified
as convicted felons. In Wisconsin, voters' eligibility was questioned
due to small discrepancies, such as a missing middle initial or a
mistyped birth date. Last week, the US Supreme Court blocked a
challenge to 200,000 Ohio voters based on information discrepancies.
Also, a judge in Michigan ruled that the names of thousands of voters
must be restored to voter rolls in that state after they were taken off
because of residency questions.
http://www.washingtonpost.com/wp-dyn/content/article/2008/10/17/AR2008101703360_pf.html
http://www.washingtonpost.com/wp-dyn/content/article/2008/10/17/AR2008101703205_pf.html
http://www.supremecourtus.gov/opinions/08pdf/08A332.pdf

STUDIES AND STATISTICS
 --Data Breaches at State and Local Level Far Exceed Those at Federal Level
(October 20, 2008)
According to statistics from the Privacy Rights Clearinghouse, breaches
of systems at the local and state level of US government exposed the
personally identifiable information of more than 3.8 million American
citizens in the first nine months of 2008. The majority of the records
compromised arose from a July 2008 breach at the Colorado Department of
Motor Vehicles that affected 3.4 million people. During those same nine
months, the number of records breached at federal agencies is reported
to be 23,024. The discrepancy calls attention to the need for
standardized data security at the state and local levels of government.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=47396
[Editor's Note (Weatherford): When asked by the FBI in 1934 why he
robbed banks, Willie Sutton replied, "Because that's where the money
is." Here's a provocative question, "Where is most American citizen PII
located?" The real question is this..."Who is actually doing more
reporting?" If you don't report it, maybe it didn't really happen and
doesn't become part of a statistic right? It's still easy to avoid
reporting a data breach if 1) you fail to accurately define an incident
as a data breach or 2) you don't know if a data breach even occurred.
A consistent enterprise Incident Management policy that helps internal
organizations identify, report and recover from data breaches is a
positive action that helps avoid future incidents.
(Honan): Last year the California State Information Security Office
released its "Information Security Guide For Agencies". The
guide is well worth a read by anyone looking to implement an information
security management system and other states, and indeed private
organisations, would do well to learn from California's example.
http://www.oispp.ca.gov/government/documents/pdf/Info_Sec_Program_Guide_Final_Oct07.pdf

MISCELLANEOUS
 --Georgian Cyber Attacks Traced to Russian Online Forum
(October 16 & 17, 2008)
An investigation into August's cyber attacks launched against Georgian
government websites indicates that they were "coordinated through a
Russian online forum," and while "there was no external involvement or
direction from State organizations," Russian officials appear not to
have stepped in to stop the attacks. The group launching the attacks
had a list of known vulnerabilities in the targeted websites along with
instructions for exploiting those holes. The attackers apparently used
SQL injection attacks to render the targeted sites inaccessible.
http://voices.washingtonpost.com/securityfix/2008/10/report_russian_hacker_forums_f.html?nav=rss_blog
http://www.scribd.com/doc/6967393/Project-Grey-Goose-Phase-I-Report
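The item says only that SQL injection was the technique, not how it was used against these particular sites. As an added example (not from the Grey Goose report or from NewsBites), here is the mechanism in miniature: a page-lookup handler that splices a URL slug into its query, two payloads of the kind a forum-distributed "how to exploit this site" list would carry, and the parameterized handler that neutralizes both. The database schema, table names, content and payloads are constructed for illustration.

```python
"""SQL injection against a CMS page lookup, beside the parameterized fix (added example)."""
import sqlite3


def make_site_db():
    """Constructed stand-in for a small government-site CMS database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE pages(slug TEXT PRIMARY KEY, body TEXT);
        CREATE TABLE users(username TEXT, password_hash TEXT);
        INSERT INTO pages VALUES ('home', 'Ministry news: press releases for August');
        INSERT INTO pages VALUES ('contact', 'Press office contact details');
        INSERT INTO users VALUES ('webadmin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return con


def lookup_page_vulnerable(con, slug):
    """Builds the query by string formatting: the slug becomes part of the SQL."""
    sql = "SELECT body FROM pages WHERE slug = '%s'" % slug
    return [row[0] for row in con.execute(sql)]


def lookup_page_safe(con, slug):
    """Binds the slug as a parameter: the slug is only ever data."""
    return [row[0] for row in con.execute("SELECT body FROM pages WHERE slug = ?", (slug,))]


# UNION-based payload: closes the string literal, appends a second SELECT
# over a table the page handler was never meant to read, and comments out
# the trailing quote left over from the original query.
DUMP_USERS = "nope' UNION SELECT username || ':' || password_hash FROM users --"

# Tautology payload: the WHERE clause is always true, so the handler
# returns every page instead of the one the URL asked for.
ALL_ROWS = "nope' OR '1'='1"


def demo():
    """Run both handlers against a normal slug and both payloads."""
    con = make_site_db()
    return {
        "normal": lookup_page_vulnerable(con, "home"),
        "vuln_dump": lookup_page_vulnerable(con, DUMP_USERS),
        "vuln_all": lookup_page_vulnerable(con, ALL_ROWS),
        "safe_dump": lookup_page_safe(con, DUMP_USERS),
        "safe_all": lookup_page_safe(con, ALL_ROWS),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable handler hands the attacker the users table through a URL parameter; the safe one returns nothing for either payload because the driver never parses the slug as SQL. Taking a site offline the way the item describes would typically need a write, for example a stacked `UPDATE pages SET body=''` after the closing quote, which works on drivers that execute multiple statements per call; Python's sqlite3 `execute()` refuses stacked statements, so that variant is not shown here. The fix is the same in every case: bind parameters, and give the web account no more privilege on the database than the page it serves requires.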

 --NIST Request for Information Seeks "Revolutionary Ideas" for Cyber Security
(October 14, 2008)
The National Institute of Standards and Technology (NIST) has issued a
Request for Information (RFI) on behalf of the National Coordination
Office (NCO) for Networking and Information Technology Research and
Development (NITRD) seeking "just a few revolutionary ideas with the
potential to reshape the [cyber security] landscape." The RFI marks the
kickoff for the National Cyber Leap Year, which aims to develop
"game-changing ideas" to make cyberspace safe for the American way of
life. The first phase of the project will gather ideas; the second
phase involves development of the best of those ideas. Ideas must be
submitted by December 15, 2008. The project is part of the
Comprehensive National Cybersecurity Initiative (CNCI).
http://www.fcw.com/online/news/154063-1.html?type=pf
[Editor's Note (Schultz): This is a tremendous idea. We have been using
time-proven but aging methods and strategies; it is time to consider
new, promising ideas to address the rapidly evolving, very serious types
of threats that seem to constantly be manifesting themselves.
(Paller): Some extraordinary people are behind this effort and they have
access to a substantial amount of money to test and further develop some
of the best of the new ideas uncovered in this search.]

*************************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is Executive Officer of the California
Office of Information Security and Privacy Protection.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security
courses at Minnesota State University, Mankato. He is the President of
Prudent Security LLC and also serves as the President of the Mankato
Chapter ISSA.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkj+AkYACgkQ+LUG5KFpTkZ79ACdGlWDWmmqTgPPYog0KVAKnqlc
Kx4An0+TyfCiiOv5iohg49E8WHuUxrGs
=pSNy
-----END PGP SIGNATURE-----